5,000 alerted of records breach in abuse of drivers’ data by DNR employee

Article by: ERIC ROPER

Star Tribune

January 16, 2013 - 9:38 AM

State officials said Tuesday they're alerting 5,000 people that a public employee accessed their driver's license information inappropriately, the latest case illustrating widespread misuse of the protected database.

The state's driver and vehicle services (DVS) database, which contains addresses, photographs and driving records on nearly every Minnesotan, has recently been the subject of at least two lawsuits and a criminal case stemming from misuse.

On Tuesday, the Department of Natural Resources said it discovered that one of its employees had accessed the database without authorization, affecting thousands of people over several years.

The agency said it does not think the information was sold, disclosed or used for a criminal purpose. The unnamed employee who made the queries is no longer employed by the agency, though it remains unclear if the worker was fired.

"We have no indication that there's any kind of pattern of misuse by any other employees," agency spokesman Chris Niskanen said.

The driver's license database is protected by state and federal law, but state records show that public employees commonly misuse it by accessing files without a business purpose. Criminal prosecutions are rare.

The Department of Public Safety, which oversees the database, said Tuesday that the DNR case was sent to the St. Paul city attorney's office for review of possible criminal charges.

The Legislature is likely to take a close look at DVS misuse this session, starting with the release of a legislative auditor's report on the database due out next month.

"We need to figure this out," said Sen. Scott Dibble, Senate Transportation Committee chairman, adding that he wants to know why the misuse has appeared so frequently in recent years.

Dibble, DFL-Minneapolis, said he plans to hold a hearing that will look at the legislative auditor's report and the frequent incidents.

Tuesday's case isn't the first DVS breach involving thousands of victims. In April, the Department of Public Safety discovered misuse by a repossession company employee that affected 3,700 Minnesotans. The department said Tuesday that charges in that case are still under consideration.

Rock County, in southwestern Minnesota, sent out at least 3,000 data-breach letters in May 2011 after a child support officer made nearly 4,000 photo queries over four months.

Twenty-four of those victims filed suit against the county and the employee last November.

The misuse can come at a cost for taxpayers. Former St. Paul police officer Anne Marie Rasmusson won more than $1 million in settlements from local governments last year after alleging in a lawsuit that police officers in jurisdictions across the state had inappropriately accessed her driver's license records. Public Safety Commissioner Mona Dohman remains a defendant in the suit.

The Department of Public Safety does regular audits of the database's top users and this month began also performing random audits. Investigating suspected misuse and imposing discipline are left to the local jurisdictions, which dole out punishments ranging from reprimands to termination.

In rare instances, criminal charges are filed. That was the case in Minneapolis in September, when the city's housing inspections chief and one of his subordinates were charged with inappropriately accessing driver's license data. A Hennepin County judge is considering a motion to dismiss that case.

Niskanen said the agency learned of the latest misuse while conducting an unrelated investigation, and it asked the Bureau of Criminal Apprehension to examine it.

He would not say which department the person worked in.

The department has reported the unauthorized data access to the three main credit reporting agencies as required by state law. They also are recommending that those individuals monitor their credit reports.